Security audit

Cashclaw Email Outreach

Security checks across malware telemetry and agentic risk

Overview

This skill is a narrowly scoped staff workflow for drafting, sending, and recording ClawHub content-rights case emails with explicit signoff controls.

Install only for trusted ClawHub staff workflows. Before using it, confirm there is an existing CHR case and review the exact recipient, subject, and body before approving any send, because the skill can send real emails and preserve case records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 94%
Finding
The manifest description is broad enough to match generic email-writing requests without clearly constraining when this skill should be invoked. That can cause inappropriate auto-selection over safer or more specialized skills, exposing users to unsolicited outreach content generation and compliance-sensitive workflows in contexts where they did not explicitly request cold-email behavior.

VirusTotal

62/62 vendors flagged this skill as clean.
